Your Building’s RFID Access Tags Might Be Really Insecure

[Gabe Schuyler] had a frustrating problem when it came to getting into his building’s garage. The RFID access system meant he had to remove his gloves while sitting on his motorcycle to fish out the keytag for entry. He decided to whip up a better solution with less fuss.

His initial plan was to duplicate the keytag and to sew one into his gloves. Purchasing a 125 kHz RFID tag duplicator off eBay, he was able to quickly copy the tag, and create one that worked with his garage’s entry system. While the duplicate tags worked well, they were still too big to easily fit into a glove. Attempts to create a duplicate with a smaller tag failed, too. Eventually, [Gabe] turned up a ring complete with a compatible RFID chip, and was able to duplicate his entry tag onto that. Now, by wearing the ring, he can enter his garage and building with a simple wave of the hand, gloves on or off.

Of course, duplicating an RFID tag is no major hack. As per [Gabe]’s Shmoocon talk on the topic, however, it shows that many buildings are using RFID access methods with little to no security whatsoever. Anyone who found an access tag lying on the ground could easily replicate as many as they wanted and enter the building unimpeded. It also bears noting that you can snoop RFID cards from further away than you might expect.

Barebones PIC RFID Tag

An inductor and 8-pin microcontroller are all that make up this barebones RFID tag. You might have done a double-take when first seeing the image above. After all, there’s nothing hooked up to the power and ground pins on the chip. As [Ramiro Pareja] explains in his post, the power is actually supplied via the I/O pins to which the inductor is soldered. It seems that each I/O pin has a parasitic capacitor and a pair of clamping diodes inside the chip. When the AC current that is induced by the magnetic field of the RFID reader hits those pins, the capacitors charge and the clamping diodes form a bridge rectifier. This results in power being injected into the chip, which turns around and sends the RFID code back through the inductor.

This isn’t the first time that we’ve seen this concept. We featured a hack that is exactly the same except it used an AVR chip. This one uses a PIC 12F683 but should work with just about any 12F or 16F model. The code is written in Assembly and shouldn’t need any changes for different hardware. [Ramiro] does talk a bit about adding a decoupling capacitor to Vss and Vdd, as well as a tuning capacitor to the two I/O pins used above to help make the device a little more robust. But, as you can see in the video after the break, it works just fine without them.


Using An AVR As An RFID Tag

A few years ago, [Beth] came up with the idea of using an AVR as an RFID tag. She’s gotten sidetracked with a few other projects in the meantime but her idea has surfaced again, this time as a duct tape RFID tag. The build is just four components: 0.1 µF and 1 nF capacitors, an ATtiny85 microcontroller, and 100 turns of 40 AWG magnet wire, all soldered together and placed on a duct tape substrate.

Like most RFID tags, the power is drawn from the reader through the coil, but even in low power versions the ATtiny is only rated down to 1.8 Volts. Since the microcontroller is only getting about 1 Volt from the coil, the clock oscillator of the ATtiny won’t work. This isn’t a problem in this build, because the coil is connected to the clock input – the 125 kHz coming off the reader provides the clock. Very clever.

Of course, the microcontroller is going to need some firmware to send some bits to the reader, so she used the AVRFID firmware (check out the comments in the source for a great walkthrough) to transmit under the HID protocol, itself a derivative of [Beth]’s earlier work with the EM4102 protocol.

Not only are we impressed with this hack, we’re amazed [Beth] is still perfecting her work more than two years after her first post on the subject. That’s dedication and unbridled cleverness.

Via adafruit
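To make concrete why tags like the EM4102 type mentioned above offer a reader nothing to authenticate, here is an added example (not code from AVRFID or from any of the posts) that decodes the commonly documented 64-bit EM4102 frame. It assumes the bits have already been demodulated into a string; `reader_accepts`, the allowlist and the sample frame are hypothetical and constructed for illustration.

```python
from __future__ import annotations

# EM4102 frame, 64 bits, sent in a loop whenever the tag is powered:
#   9 header bits (all 1)
#   10 rows of 4 data bits + 1 even row-parity bit (8-bit version, 32-bit ID)
#   4 even column-parity bits, then 1 stop bit (0)

class FrameError(ValueError):
    """Raised when a frame fails a structural or parity check."""

def decode_em4102(bits: str) -> tuple[int, int]:
    """Return (version, tag_id) from a demodulated 64-character bit string."""
    if len(bits) != 64 or set(bits) - {"0", "1"}:
        raise FrameError("frame must be exactly 64 binary digits")
    b = [int(c) for c in bits]
    if b[:9] != [1] * 9:
        raise FrameError("missing 9-bit header")
    if b[63] != 0:
        raise FrameError("stop bit must be 0")
    rows = [b[9 + 5 * r: 14 + 5 * r] for r in range(10)]
    for r, row in enumerate(rows):
        if sum(row) % 2:
            raise FrameError(f"row {r} parity error")
    for c in range(4):
        if (sum(row[c] for row in rows) + b[59 + c]) % 2:
            raise FrameError(f"column {c} parity error")
    value = 0
    for row in rows:
        for bit in row[:4]:
            value = (value << 1) | bit
    return value >> 32, value & 0xFFFFFFFF

def reader_accepts(bits: str, allowlist: set[int]) -> bool:
    """Hypothetical door controller: parity check, then ID lookup. Nothing else."""
    try:
        _, tag_id = decode_em4102(bits)
    except FrameError:
        return False
    return tag_id in allowlist

# Constructed sample frame (not a real credential): version 0x01, ID 0x00ABCDEF.
SAMPLE = ("111111111" "00000" "00011" "00000" "00000" "10100"
          "10111" "11000" "11011" "11101" "11110" "0000" "0")

if __name__ == "__main__":
    version, tag_id = decode_em4102(SAMPLE)
    print(f"version=0x{version:02X} id=0x{tag_id:08X}")
    # 9 + 50 + 4 + 1 = 64: every bit is header, ID or parity. There is no
    # counter, nonce or MAC, so two reads of the same tag are bit-identical.
    print("accepted:", reader_accepts(SAMPLE, {0x00ABCDEF}))
```

The parity bits only catch read errors; because the frame never changes between reads, a reader built this way has no field it could use to tell one source of those 64 bits from another.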

Scratch Built RFID Tags


[nmarquardt] has put up an interesting instructable that covers building RFID tags. Most of them are constructed using adhesive copper tape on cardstock. The first version just has a cap and a low power LED to prove that the antenna is receiving power. The next iteration uses tilt switches so the tag is only active in certain orientations. The conclusion shows several different variations: different antenna lengths, conductive paint, light activated and more.